Redundant bus controller for bus with several masters

ABSTRACT

The invention relates to a bus controller for a bus (7) which can be used by several masters, characterized in that it comprises at least two modules (7a, 7b) each of which contains an arbiter and an arbiter supervisor, the function of one at least of the arbiter supervisors being to enable the output of the arbiter of the same module as long as it observes that this arbiter is operating correctly and to disable this output when it observes that the arbiter of the same module is not operating correctly.

[0001] The present invention relates to a redundant bus controller for a bus which can be used by several masters.

[0002] It is known that buses which can be accessed by several masters are managed by arbiters which successively grant access authorizations to the various masters, following access requests issued by these masters.

[0003] In the event of a conflict between two masters simultaneously requesting access to the bus, the arbiter grants access to the master possessing the highest priority, by applying a particular algorithm for managing priorities.

[0004] An exemplary bus which can be accessed by several masters is that of a cluster of computers linked by this bus. The computers of the cluster communicate with one another via the bus, either directly, or by way of a local network simulation using the physical structure of the bus.

[0005] In such clusters, it is vital for the arbiter to operate in a reliable and dependable manner, otherwise the entire cluster, that is to say each of the computers of which it is composed, will be out of service.

[0006] The present invention aims to provide a fault tolerant bus controller exhibiting a high level of reliability.

[0007] Furthermore, in a particular version, the bus controller according to the invention is able to ensure continuity of operation of the bus, including during the phases of maintenance of the said controller.

[0008] The subject of the present invention is a bus controller characterized in that it comprises at least two modules each of which contains an arbiter and an arbiter supervisor, the function of one at least of the arbiter supervisors being to enable the output of the arbiter of the same module as long as it observes that this arbiter is operating correctly and to disable this output when it observes that the arbiter of the same module is not operating correctly.

[0009] In the controller according to the invention, each module is the substitute for the other and the probability that the controller is unable to manage the bus access requests is very low since it corresponds to a simultaneous failure of both modules.

[0010] In a first embodiment of the invention, the two arbiters are synchronized by the same clock and deliver bus access authorizations simultaneously, the output of the two arbiters being combined by an or gate which delivers a single bus access authorization.

[0011] It is advantageous, in this embodiment, that each module includes its own clock and that a synchronization device external to the two modules synchronizes their two clocks.

[0012] In this case, it is the same synchronized clock signal which is sent to both modules and to the bus, so that the bus read/write cycles coincide with the deliveries of access authorizations.

[0013] In a second embodiment of the invention, one of the two modules is predominant, its supervisor then fulfils an additional function consisting in disabling the output of the arbiter of the other module when it enables that of the arbiter of the same module.

[0014] In this case, the output of the second arbiter is routinely disabled as long as the first arbiter is operating correctly. It is enabled only when the first arbiter is no longer operating.

[0015] In a preferred embodiment of the invention, each module consisting of an arbiter and its supervisor is constructed in the form of a daughter card which can be inserted into and extracted from a mother card constituting, together with the two daughter cards, the bus controller according to the invention.

[0016] Given the manner of operation of the supervisor of the arbiter in each module, the hot insertion and extraction of a module can be achieved on the sole condition that the module which remains on the mother card is operational.

[0017] In a particular embodiment of the invention, the output signal generated by a supervisor so as to signal that the arbiter is operating correctly is a nonconstant signal, for example a square signal.

[0018] This arrangement makes it possible to discern a malfunctioning of the supervisor as soon as a constant signal is detected at its output, whether this signal be high or low.

[0019] The manner of operation of a controller according to the invention will now be described with reference to the appended figures in which:

[0020] FIG. 1 is a perspective view of a cluster of computers using a bus arbitrated by a controller according to the invention,

[0021] FIG. 2 is a diagrammatic view of the architecture of the bus of the cluster of FIG. 1,

[0022] FIG. 3 is a schematic diagram of a module of a controller according to the invention,

[0023] FIG. 4 is a schematic diagram of a controller according to a first embodiment of the invention,

[0024] FIG. 5 is a schematic diagram of a controller according to a second embodiment of the invention.

[0025] The cluster of computers 1 represented in FIG. 1 comprises a box 2 of general parallelepipedal shape which contains eight removable cards 3a to 3h mounted on the box in such a way that each is slotted into a location of an internal bus 7 which can be seen in FIG. 2.

[0026] The box 2 also houses in a common part 4, a hard disk 5 and a removable disk drive 6.

[0027] The cards 3a to 3g are processor cards each constituting a computer of the cluster.

[0028] The card 3h is a bus controller card which supports two daughter cards 7a, 7b, each of which is removable with respect to the card 3h.

[0029] Locking tabs 8 are fitted to each of the processor cards 3a to 3h. Other locking tabs 9 are fitted to the daughter cards 7a and 7b.

[0030] In FIG. 2 may be seen the bus 7, on which are mounted the eight cards 3a to 3h, this latter being furnished with the two daughter cards 7a and 7b.

[0031] As is known in the case of a bus serving several masters, each of the processor cards 3a to 3g makes bus access requests REQ, which access requests are authorized by the controller card 3h as a function of the priorities assigned to each of the cards.

[0032] The overall manner of operation of the controller card is that of a conventional arbiter, that is to say that on receiving an access request REQ, the controller card delivers an authorization GT which allows the requesting master to monopolize the bus during a given period of time, after which it releases the bus.

[0033] However, unlike a traditional arbiter, the controller card of the described device here contains two arbiter modules, embodied by the two daughter cards 7a and 7b, each of which modules consists of an arbiter and an arbiter supervisor.

[0034] The structure of a module is provided in FIG. 3, in which it may be seen that at input, the module receives the access requests REQ and clock pulses CLK and that at output, the module delivers a verified access authorization GTv.

[0035] The module houses a traditional arbiter 10 which accepts at input the access requests REQ and delivers at output access authorizations GT.

[0036] The other components of the module make up the arbiter supervisor, which verifies the proper operation of the arbiter 10 and enables the authorizations given by this arbiter. To this end, the module includes a bistable flip-flop 11, another bistable flip-flop 12, an [AND] gate 13, a shift register 14, an [AND] gate 15, a bistable flip-flop 16, a bistable flip-flop 17, an [AND] gate 18, an [AND] gate 19, an inverting gate 20 and an [AND] gate 21.

[0037] The manner of operation of this module will now be described.

[0038] On receiving an access request REQ, the arbiter delivers an authorization GT. The request REQ causes the bistable flip-flop 11 to toggle to a high value (or true value). This high value in turn causes the bistable flip-flop 12 to toggle upon the first clock pulse provided by the clock CLK. The output of this second bistable flip-flop 12 is inverted and sent to the [AND] gate 13 in combination with the authorization GT provided by the arbiter.

[0039] The output of this [AND] gate feeds the shift register 14.

[0040] A clock pulse is provided by the inverting gate 20 at the input of the shift register 14 so as to cause the shifting of the inputs in the register.

[0041] After four clock pulses, the three outputs of the register feeding the [AND] gate 15 enable the latter, thereby providing a high (or true) signal V indicating that, during at least four clock cycles, the arbiter has delivered an authorization GT following the request REQ.

[0042] This output V confirms the proper operation of the arbiter.

[0043] The enabling output is provided to the [AND] gate 21 which thus allows through the signal arising from the [AND] combination 19 of the access request REQ and of the authorization GT so as to provide an enabled access authorization GTv.

[0044] The arbiter enabling output signal V is also combined with the clock signals in a resetting subcircuit (delimited by a broken line 22) so as to provide, after a few clock pulses, a resetting signal RST for resetting the first bistable flip-flop 11 so that the enabling output V switches back to the low level.

[0045] The proper operation of the arbiter is thus supervised.

[0046] Represented in the embodiment of FIG. 4 are the two arbiter modules 7a, 7b, which operate in a symmetrical manner, each providing an access authorization on request from the controller cards.

[0047] Each arbiter module delivers a validated authorization for access GTv1 and GTv2 to the bus by applying the same rules to the access requests received REQ.

[0048] The manner of operation of the two arbiter modules is synchronized by a synchronization module 23 which forces the two internal clocks CLK1 and CLK2 of the two arbiter modules to operate at the same rate, by returning a common clock signal CLK to each module, which signal is also provided to the bus 7. The bus access authorizations GTv1 and GTv2 are consequently strictly identical when the two arbiter modules are operating correctly.

[0049] The two access authorization signals GTv1 and GTv2 are combined in an [OR] gate 24 delivering a single bus access authorization signal GTv.

[0050] If one of the two arbiters or arbiter supervisors becomes defective, the corresponding module ceases to deliver access authorizations and the corresponding signal GTvi is held at a low level (corresponding to the false logic value).

[0051] The structure of each arbiter module is such that any malfunctioning of the internal arbiter or of its supervisor causes the signal GTvi to be set to a low level.

[0052] The security of operation afforded by such a controller card stems from the fact that it is sufficient for just one of the two arbiter modules to be operating normally in order for the signal GTv to be provided at the output of the controller card.

[0053] The defective arbiter module signals itself to the maintenance operator by any means whatsoever, for example by virtue of a light-emitting diode placed on the facade of the card 7a or 7b.

[0054] The defective arbiter module can then be substituted without difficulty, given that the functioning arbiter module alone ensures delivery of the access authorizations GTv.

[0055] In the embodiment of FIG. 5, one 7a of the two arbiter modules is regarded as the main arbiter, the other 7b being regarded as the secondary arbiter.

[0056] The two arbiter modules are linked together by a logic circuit consisting of two filters 25, 26 and an [AND] gate 27:

[0057] As long as the main module 7a is operating correctly, the access authorization signal V2 delivered by the secondary module 7b is blocked and only the access authorization signal GTv1 originating from the main module reaches the bus.

[0058] If main module 7a ceases to operate normally, whether this be because of a malfunctioning of the arbiter or a failure of the supervisor, its enabling signal V1 becomes false, thereby blocking the signal GTv1 for authorizing access to the bus and the bus access authorization output signal GTv2 of the secondary module is activated.

[0059] In each of the above two embodiments, a particular variant may be applied, consisting in providing an enabling output V1 in the form of a nonconstant signal, for example square, so as to guarantee that the proper operation of one of the two arbiter modules is not erroneously diagnosed on account of an accidental setting to the expected value of this enabling signal, given that it is rather improbable that a failure output signal will accidentally be nonconstant and still less probable that this nonconstant signal will be precisely the expected nonconstant signal.
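The following behavioural model is an added illustration, not part of the patent text. It shows why the nonconstant enabling signal matters for the failover of FIG. 5 when a dead arbiter coincides with a V line stuck high. The signal names REQ, GT, V and GTv come from the description; the function names, the four-sample window, the sample traces and the reduction of filters 25, 26 and gate 27 to a single selection on V1 are assumptions.

```python
# Added illustration. REQ, GT, V, GTv follow the description's signal names;
# function names, the 4-sample window and the sample traces are assumptions.

def level_ok(samples):
    """Naive check: trust V whenever its latest level is high."""
    return samples[-1] == 1

def heartbeat_ok(samples, window=4):
    """Trust V only if it toggled within the last `window` samples.
    A constant level, high or low, counts as a fault (paragraph [0018])."""
    recent = samples[-window:]
    return len(recent) == window and len(set(recent)) > 1

def module_gtv(req, gt, v_ok):
    """Verified grant of one module: GTv = REQ AND GT AND V ([0043])."""
    return bool(req and gt and v_ok)

def controller(v1_trace, v2_trace, gt1, gt2, check, req=True):
    """Return the bus grant of both embodiments for the given module states."""
    v1, v2 = check(v1_trace), check(v2_trace)
    gtv1 = module_gtv(req, gt1, v1)
    gtv2 = module_gtv(req, gt2, v2)
    return {
        "fig4_or": gtv1 or gtv2,  # [OR] gate 24
        # Assumed model of FIG. 5: the secondary passes only when V1 is false.
        "fig5_primary": gtv1 if v1 else gtv2,
    }

# Constructed traces of the enabling output V.
SQUARE = [0, 1, 0, 1]
STUCK_HIGH = [1, 1, 1, 1]
STUCK_LOW = [0, 0, 0, 0]

if __name__ == "__main__":
    # Main arbiter delivers no GT while its V line is stuck high.
    for check in (level_ok, heartbeat_ok):
        print(check.__name__, controller(STUCK_HIGH, SQUARE, False, True, check))
```

With the level check the main module still appears healthy, so the secondary stays blocked and the FIG. 5 controller grants nothing; with the toggle check the stuck line is rejected and the secondary takes over.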

[0060] As indicated in the general description, each of the arbiter modules is designed so as to be able to be hot extracted from the controller card, this being readily understood on account of the fact that the two arbiter modules are always ready to take over from one another.

[0061] The invention is in no way limited to the embodiments just described, which are provided merely by way of examples.

1. Bus controller for a bus (7) which can be used by several masters (3a-3g), characterized in that it comprises at least two modules (7a, 7b) each of which contains an arbiter (10) and an arbiter supervisor, the function of one at least of the arbiter supervisors being to enable the output (GT) of the arbiter of the same module as long as it observes that this arbiter is operating correctly and to disable this output when it observes that the arbiter of the same module is not operating correctly.
2. Bus controller according to claim 1, characterized in that the two arbiters are synchronized by the same clock (CLK) and deliver bus access authorizations (GTv1, GTv2) simultaneously, the output of the two arbiters being combined by an [or] gate (24) which delivers a single bus access authorization (GTv).
3. Bus controller according to claim 2, characterized in that each module (7a, 7b) includes its own clock (CLK1, CLK2) and that a synchronization device (23) external to the two modules synchronizes their two clocks.
4. Bus controller according to any one of claims 1 to 3, characterized in that one (7a) of the two modules is predominant, its supervisor then fulfils an additional function consisting in disabling the output (GTv2) of the arbiter of the other module (7b) when it enables that of the arbiter of the same module.
5. Bus controller according to any one of claims 1 to 4, characterized in that each module consisting of an arbiter and its supervisor is constructed in the form of a daughter card (7a, 7b) which can be inserted into and extracted from a mother card constituting, together with the two daughter cards, the bus controller according to the invention.
6. Bus controller according to any one of claims 1 to 5, characterized in that the output signal (V) generated by a supervisor so as to signal that the arbiter is operating correctly is a nonconstant signal, for example a square signal.